March, 2007
Safeguarding Electronic Patient Records
Jeffrey D. Jacob
Am I in compliance with HHS Security Regulations Administrative Safeguards (section 164.308)?
Every orthodontist should be able to answer this question with a yes. Summarized, these safeguards require a Covered Entity to have the following:
- Data backup plan. Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
- Disaster recovery plan. Establish (and implement as needed) procedures to restore any loss of data.
- Emergency mode operation plan. Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
Despite these common-sense HIPAA requirements, the reality is that few doctors actually have sufficient safeguards in place and are but one natural disaster away from possible catastrophic loss!
Many doctors back up patient data to tapes or other media and take the backup home for protection; yet most live in fairly close proximity to their offices. So what happens to patient records, and the backup, if a Katrina-level hurricane (or other cataclysmic event) hits their area? And even if the backup is safe, what happens if it doesn’t work or the media / device containing it is defective (both are common occurrences)?
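A minimal check for the "retrievable exact copies" requirement and for the defective-backup failure mode just described, as an added example (it is not part of the original article or of EDP's service): a SHA-256 manifest is recorded before backup, and every restored file is compared against it, so a silently corrupted or missing copy is found before an emergency rather than during one. The file names and contents are constructed sample data.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large image files are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir):
    """Map each file's relative path to its digest; store this with the backup."""
    source = Path(source_dir)
    return {p.relative_to(source).as_posix(): sha256_file(p)
            for p in source.rglob("*") if p.is_file()}


def verify_restore(restore_dir, manifest):
    """Return a list of problems; an empty list means an exact copy was restored."""
    restore = Path(restore_dir)
    problems = []
    for rel, digest in manifest.items():
        p = restore / rel
        if not p.is_file():
            problems.append("missing: " + rel)
        elif sha256_file(p) != digest:
            problems.append("corrupt: " + rel)
    return problems


def demo():
    """Constructed sample: a clean restore and one with a corrupted chart file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "records"
        (src / "charts").mkdir(parents=True)
        (src / "charts" / "patient-0001.txt").write_text("chart data")
        (src / "consent-0001.txt").write_text("signed consent")
        manifest = build_manifest(src)
        clean = verify_restore(src, manifest)
        # Simulate a restore from defective media: copy, then damage one file.
        dst = Path(tmp) / "restored"
        shutil.copytree(src, dst)
        (dst / "charts" / "patient-0001.txt").write_bytes(b"chart dat\x00")
        return clean, verify_restore(dst, manifest)
```

Run `demo()` after each restore test; any non-empty result means the backup cannot be relied on and should be re-made.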
Compliance with Section 164.308 is most easily achieved by using an offsite data storage company that utilizes safeguards and measures no orthodontic practice could ever afford on its own. Electronic Data Protection (EDP) is such a company and it offers plans that provide the following:
- Fully automated, HIPAA-compliant, 128-bit SSL-encrypted backups of data, images, etc. are made on the frequency chosen by the orthodontist, which is usually daily.
- Backups that are stored in a highly-secure EDP datacenter and then, as a safeguard, replicated and stored in a second EDP datacenter. (The datacenters are located in Los Angeles & St. Louis.)
- Datacenters guarded 24x7x365 by on-site personnel and video surveillance; with access restricted to designated personnel. Both datacenters offer total redundancy in: fire protection; fiber optic cabling; electrical power (backup power includes battery UPS & diesel generators); and, concurrent connectivity to two or more of the world’s largest Internet backbones.
- Data that is always available for rapid restoration 24x7x365. If the stored data volume prevents fast restoration over the Internet, it can be provided on DVDs or an external HD and sent by overnight delivery service or on a ‘next flight out’ basis via the airlines, whichever is requested.
What is EDP’s fee for this ‘data insurance’ and the doctor’s peace of mind? 44 cents a day for 5GB of storage!
For those who need it, EDP also offers instantaneous Disaster Recovery Service. The orthodontist’s data and program application reside on powerful servers (in EDP datacenters) set up for access over the Internet via Embedded Terminal Emulation within a web browser, and data is replicated as it is altered. In an emergency, a call to EDP’s support center can make the entire system instantly available for access, 24x7x365, on as many workstations as needed.
Since the low-cost safeguards described above are only available for electronic records, prudence would seem to dictate that all patient records should be converted to electronic form and stored, which raises the questions below about what makes up the patient record and how long it should be retained. The answers to these questions were furnished by the American Association of Orthodontists (AAO) and are viewable on the California Association of Orthodontists’ website. (The information was accessible as of January 25, 2007 and was found at http://cao.aaomembers.org/practice/records.cfm.)
What Constitutes Patient Records?
The AAO’s answer was: “These records include, but are not limited to, charts, x-rays, models, appointment books, correspondence to and from the patient, phone records, medical history forms, the patient contract, the signed informed consent form and interoffice memos relating to the patient.”
How Long Should Patient Records Be Maintained?
These three key points were provided by the AAO in response to this question:
- “At a minimum, patient records must be kept for the applicable statute of limitations period. This period is the time within which an action may be brought for malpractice, and varies on a state-by-state basis. Generally, these periods range from five to 15 years.”
- “Although the need to maintain records should be balanced against the practical aspects of such storage (i.e., costs, space, etc.), the best approach is simply to retain the records indefinitely because of the valuable information the records contain.” [Emphasis added]
- “The practical difficulties of maintaining records indefinitely can be minimized by transferring some of the records to microfiche or, in some cases, videotaping the models.”
EDP’s services enable orthodontists to follow the AAO’s recommendations. If the records are not already electronic, an inexpensive flatbed scanner can allow orthodontic staff to scan in all the items that make up the records described above. The resulting electronic records could then be maintained economically and in the safest environment possible. It would also be much easier to ‘find’ a particular patient record should the need ever arise.
All the ‘physical’ components that make up the records could be removed from the orthodontic office and stored in less expensive space elsewhere. Without a doubt, most offices would be able to make very good use of the space ‘freed up’ by this action!
Summary
For as little as 44 cents a day EDP offers orthodontists:
- Compliance with HHS Security Regulations Administrative Safeguards Section 164.308.
- Peace of mind that stored electronic patient records will always be available.
- 24x7x365 data restorations from either of its two datacenters.
- A cost-effective way to archive and retain all records indefinitely, as suggested by the AAO.
- The ability to remove the physical records of inactive patients from the office – freeing up space.
- Elimination of daily data backups by the office staff and the costly media they require.
Contributed by:
Jeffrey D. Jacob
Vice President-Technology of Electronic Data Protection